Posted by Rob on 01/24/08 09:23
On Jan 24, 5:33 am, Manuel Lemos <mle...@acm.org> wrote:
> Hello,
>
> on 01/24/2008 03:21 AM Shelly said the following:
>
> > The calling code is (The constants are defined earlier. Also, $fld is
> > an instance of a class that contains information about all of the
> > fields on the form. The last three are not on the form and the
> > security field was not part of $fld.)
> > ====================
> > $mail = new htmlMimeMail();
> > $mail->setFrom(MAIL_FROM);
> > $mail->setBcc(MAIL_CC);
> > $mail->setSubject(MAIL_SUBJECT);
> > $i = 0;
> > $message = "";
> >
> > $html = '<body bgcolor="#CCFFCC">' .
> >     '<strong>From: </strong>' . MAIL_FROM . '<webmaster@' . MAIL_FROM . '.com><br>' .
> >     '<strong>Sent: </strong>' . MAIL_SENT . "<br>" .
> >     '<strong>To: </strong>' . MAIL_TO . "<br>" .
> >     '<strong>Subject: </strong>' . MAIL_SUBJECT . "<br>" .
> >     '<table border="1" align="center"><caption align="top"><b>' .
> >     MAIL_SUBJECT . '</b></caption><br>';
> >
> > for ($i = 0; $i < $fld->size; $i++) {
> >     $message .= $fld->fldDisplay[$i] . ": " . $fld->fldVal[$fld->fldName[$i]] . "\r\n";
> >     $html .= '<tr><th>' . $fld->fldDisplay[$i] . '</th><td>' .
> >         $fld->fldVal[$fld->fldName[$i]] . '</td></tr>';
> > }
> >
> > $html .= '<tr><th>Security Code Generated</th><td>' . $_POST['securityHidden'] . '</td></tr>';
> > $html .= '<tr><th>Security Code Entered</th><td>' . $_POST['securityCode'] . '</td></tr>';
> > $html .= '<tr><th>User IP Address</th><td>' . getenv("REMOTE_ADDR") . '</td></tr>';
> > $html .= '</table></body>';
>
> I don't know if that is enough to explain it, but you are not encoding
> the values that you insert in the HTML message.
>
> If any value starts with <, the mail program will process it as a tag and
> may not render anything. So the actual code may be there but is not
> being displayed because it is taken as a tag.
>
> Even parts of your static HTML will be omitted like this:
>
> '<webmaster@' . MAIL_FROM .'.com><br>'
>
> All you need to do is to use HtmlSpecialChars() to properly encode your
> values in HTML.
>
> --
>
> Regards,
> Manuel Lemos
>
> PHP professionals looking for PHP jobs http://www.phpclasses.org/professionals/
>
> PHP Classes - Free ready to use OOP components written in PHP http://www.phpclasses.org/
Shelly, I haven't read this (long) thread in detail, but I think you
have a problem I've seen before.
Basically, what stops a spammer looking at the HTML on your page, then
posting content back to the form processor contained in the 'ACTION'?
By doing this, they bypass your page security, and can pass any
information they want to.
You can correct this by generating a known field on the form, let's say
the date and time, or a unique ID, then checking this as the form
results come back.
There is NO SUBSTITUTE for checking the integrity of the data returned
from a form, even if you have client side checking in place.
I may be barking up the wrong tree here, but it certainly sounds like
your problem.
Rob.
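Taking the two suggestions in this thread together (Manuel's: encode every value with htmlspecialchars() before it goes into the HTML body; Rob's: have the page carry a server-generated field and reject submissions that come back without a valid one), here is an added example in PHP. It is not code from Shelly, Manuel or Rob. It assumes a server-side secret (FORM_SECRET), uses a time-bound HMAC token as the "known field" (one concrete form of the date/time idea Rob describes), and, since the $fld class is not shown, stands in a plain label => value array for it; the field names, IP address and sample values are constructed.

```php
<?php
// Added example, not code from the thread. Two controls for a mail-the-form
// handler: a server-issued form token checked before anything is accepted,
// and HTML encoding of every value placed in the mail body.

const FORM_SECRET    = 'change-me-to-a-long-random-secret'; // assumption: kept server-side only
const FORM_TOKEN_TTL = 3600;                                // seconds a token stays valid

// Issue a token bound to the time the page was rendered: "<timestamp>.<hmac>".
function formTokenIssue(int $now): string {
    $mac = hash_hmac('sha256', (string)$now, FORM_SECRET);
    return $now . '.' . $mac;
}

// Verify a token that came back with the form. Rejects missing, malformed,
// tampered and expired tokens; hash_equals() avoids a timing side channel.
function formTokenCheck(?string $token, int $now): bool {
    if ($token === null || !preg_match('/^(\d{1,12})\.([0-9a-f]{64})$/', $token, $m)) {
        return false;
    }
    $issued = (int)$m[1];
    if ($issued > $now || $now - $issued > FORM_TOKEN_TTL) {
        return false;
    }
    $expected = hash_hmac('sha256', (string)$issued, FORM_SECRET);
    return hash_equals($expected, $m[2]);
}

// Encode a value for insertion into HTML: <, >, &, " and ' become entities,
// so a value beginning with '<' is shown as text rather than parsed as a tag.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// Build the notification table from submitted fields, encoding every cell.
// $fields is display-label => raw submitted value (stands in for $fld here).
function buildMailHtml(array $fields, string $remoteAddr): string {
    $html = '<body bgcolor="#CCFFCC"><table border="1" align="center">';
    foreach ($fields as $label => $value) {
        $html .= '<tr><th>' . h((string)$label) . '</th><td>' . h((string)$value) . '</td></tr>';
    }
    $html .= '<tr><th>User IP Address</th><td>' . h($remoteAddr) . '</td></tr>';
    return $html . '</table></body>';
}

// Handle one POST the way the form processor would: token first, then encode.
// Returns the HTML mail body, or null when the submission is rejected.
function handleSubmission(array $post, string $remoteAddr, int $now): ?string {
    if (!formTokenCheck($post['formToken'] ?? null, $now)) {
        return null; // posted straight to the ACTION URL, or token forged/expired
    }
    $fields = [];
    // Constructed field list; a real handler would take it from its form definition.
    foreach (['name' => 'Name', 'email' => 'E-mail', 'comment' => 'Comment'] as $key => $label) {
        $fields[$label] = $post[$key] ?? '';
    }
    return buildMailHtml($fields, $remoteAddr);
}

// Constructed sample run.
$now   = time();
$token = formTokenIssue($now);

// 1. Content posted directly to the processor with no token: rejected.
var_dump(handleSubmission(['name' => 'x'], '203.0.113.5', $now) === null);

// 2. Genuine submission whose comment starts with '<': the value survives as
//    visible text in the mail instead of being swallowed as a tag.
$html = handleSubmission([
    'formToken' => $token,
    'name'      => 'Shelly',
    'email'     => 'shelly@example.com',
    'comment'   => '<script>alert(1)</script> hello',
], '203.0.113.5', $now);
var_dump(strpos($html, '&lt;script&gt;') !== false);

// 3. The same token presented after its TTL: rejected.
var_dump(handleSubmission(['formToken' => $token], '203.0.113.5', $now + FORM_TOKEN_TTL + 1) === null);
```

Put formTokenIssue(time()) in a hidden input when the page is rendered; the processor calls handleSubmission() and mails the returned body only when it is non-null. The token check stops content posted blind to the ACTION URL and replays of an old token, but a bot that fetches the page before each post still obtains a valid token; that is what the separate securityCode comparison in Shelly's code is for, and the encoding step matters whatever the token says, because the mail body is rendered as HTML regardless of who submitted the form.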